Professional Documents
Culture Documents
A New Extension of The EAP-TLS Protocol Based On Quantum Cryptography
A New Extension of The EAP-TLS Protocol Based On Quantum Cryptography
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 25
Abstract—Quantum Cryptography or Quantum key distribution (QKD) is a new technique that allows the secure distribution of
a bit string, used as a key in cryptographic protocols. It solves the key distribution problem by allowing the exchange of a
cryptographic key between two remote parties with absolute security, guaranteed by the laws of quantum physics. Extensive
studies have been undertaken on quantum cryptography since it was noted that quantum computers could break public key
cryptosystems based on number theory. Now, the research progress in this field allows the implementation of QKD outside
laboratories and efforts are made to exploit this technology in the existing communication networks and so as to improve the
performance and reliability of the implemented technologies. Due to the limited coverage area, the environment of wireless local
area network (LAN) environment offers potentially a chance to let quantum key distribution (QKD) play a role in the wireless
communication. In this paper, we explore the possibility of using QKD for wireless LAN; we propose a scheme for integrating
quantum cryptography in the EAP-TLS protocol. This will contribute to enhance the security of the process of authentication.
Also, we present an example to illustrate the feasibility of our scheme’s implementation.
Index Terms— BB84 Protocol, Quanum Cryptography, Quantum Key Distribution (QKD), EAP-TLS protocol, Network Security.
—————————— ——————————
1 INTRODUCTION
TLS protocol. We introduce also an example to show the 3 THE EAP-TLS AUTHENTICATION PROTOCOL
possible applicability of our new scheme EAP-TLS
3.1 The EAP-TLS Conversation: Base Case
protocol. Finally, in section 6 we conclude the paper.
While defined in [22], the EAP methods did not support
mutual authentication, the use of EAP with wireless
2 DESCRIPTION OF RELATED WORKS technologies has resulted in development of a new set of
Quantum Key Distribution is a point to point secure key requirements. As presented in [23], it is desirable for EAP
generation technology which provides unconditional methods used for wireless LAN authentication to support
security. Actually, a new innovative approach is studying mutual authentication and key derivation. EAP-Transport
by researchers with the main goal to exploit the security Layer Security (EAP-TLS) [2] as a solution includes
of Quantum Cryptography for a large scale practical support for certificate-based mutual authentication and
communication. Indeed, the practical realization of QKD key derivation, utilizing the protected ciphersuite
opened new research in the area of secure QKD negotiation, mutual authentication and key management
networking. There are some approaches and models for capabilities of the TLS protocol [24].
the utilization of Quantum Cryptography to secure We use the following terminology as it is noted in [2]:
communications. Authenticator: The entity initiating the EAP authentication.
One approach is to use QKD in network fashion. Peer: The entity that gives a response to the authenticator.
SECOQC (SEcure COmmunication based on Quantum Backend authentication server: The entity that provides to
Cryptography) network of secrets and BBN DARPA an authenticator an authentication service.
(Defense Advanced Research Projects Agency) quantum EAP server: The entity that terminates with the peer the
network are examples of such networks. EAP authentication method. The EAP server is located on
The DARPA Quantum Network was jointly elaborated by the backend authentication server in the case where the
researchers at Boston University, Harvard University, authenticator operates in pass-through mode.
and BBN Technologies in 2004 [3]. The goal of this point- As described in [2], the EAP-TLS conversation will
to-point DARPA Quantum network is to use QKD begin with the authenticator and the peer negotiating
technology for standard internet traffic. The DARPA EAP. The authenticator will send an EAP-
Quantum network is the first network that delivers end- Request/Identity packet to the peer, and the peer will
to-end network security via high-speed Quantum Key respond with an EAP-Response/Identity packet,
Distribution, and it is tested that Network is immune containing the peer's user-Id. From this point forward, as
against sophisticated eavesdropping attacks. The first nominally the EAP conversation occurs between the EAP
network link has been up and steadily operational Since authenticator and the peer, the authenticator may act as a
December 2002 [4]. More detailed descriptions of DARPA pass-through device, with the EAP packets received from
Quantum network may be found in papers [3-5]. the peer being encapsulated for transmission to a backend
The European project SECOQC was a big research authentication server (EAP server). Fig. 1 describes the
effort of 41 research and industrial organizations from the EAP-TLS conversation in its base case.
European Union, Switzerland and Russia, which was The peer and the EAP server during the EAP-TLS
initiated in 2003 and carried out between April 2004 and conversation must verify that the contents of messasges
October 2008. The SECOQC provide an approach to QKD are correct and thus check if the key exchange and
networks with a focus on the trusted repeater prototype authentication processes were successful. This is done by
[6]. Description about SECOQC can be found in papers computing the TLS finished messages by the formula [24]:
[7-9]. PRF (master _ secret , finished _ label , MD 5(handshake _ messages )
Other models and approaches in using QKD in SHA 1(handshake _ messages ))
network fashion are introduced in the literature as [10-
13]. For example, in the article [11], the authors describe Here PRF is a pseudo-random function defined in [23].
how the ATM (Aeronautical Telecommunication For finished_label, we use the string “server finished” for
Network) can be secured by QKD, either by optical fiber the message sent by the EAP server and “client finished”
or free air. for that sent by the peer. MD5 [25] and SHA-1[26] are a
A different approach is to exploit QKD in the existing secure hashing functions. The handshake_messages
protocols which widely used on the internet to enhance includes all handshake messages starting at client hello
security with the main goal to attain unconditional up to, but not including, this TLS finished message. So,
security. The papers [14-21] give some example of such the handshake_messages for the TLS finished message
approach. In these papers the researchers present a sent by the peer will be different from that for the TLS
models and schemes to integrate QKD in classical finished message sent by the EAP server, because the one
security protocols as IPsec, PPP and TLS. that is sent second will include the prior one. The
Our work is related to this last approach. We present a master_secret is defined by the formula [24]:
technique to integrate QKD in the EAP-TLS master _ secret PRF ( pre _ master _ secret , "master secret " ,
authentication protocol in the order to enhance the Client .random Servero.random )
security of the authentication process.
Client.random and Server.random are the random
numbers generated by the peer and the EAP server
respectively. The value of pre_master_secret is generated
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 9, SEPTEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 27
TLS certificate_verify,
TLS change_cipher_spec, algorithm, this key can then be used to encrypt and
TLS finished) decrypt a message, which can then be transmitted over a
EAP-Request/ standard communication channel.
EAP-Type=EAP-TLS The Quantum Cryptography protocol BB84 was the
(TLS change_cipher_spec, first studied and practical implemented QKD physical
TLS finished)
layer protocol. Gilles Brassard and Charles Bennett
elaborated this protocol in 1984 in their article [28]. This
EAP-Response/
protocol is certainly the most famous and most realized
EAP-Type=EAP-TLS
quantum cryptography protocol. Its scheme uses the
EAP-Success transmission of single polarized photons (as quantum
states). The photons’ polarizations are four, and are
grouped together in two non orthogonal basis.
Fig. 1. The EAP-TLS conversation [2] The two non-orthogonal basis are generally presented as
follows:
3.2 The EAP-TLS Request and the EAP-TLS - The horizontal (0°) and vertical polarization (+90°) form
Response Packets the base , and we denote the base states with the
The EAP-TLS Request and the EAP-TLS Response intuitive notation: 0 and 1 . We have = { 0 , 1 } .
packets format is shown in Fig. 2. The fields are - The diagonal polarizations (+45°) and (+135°) are the
exchanged from left to right.
elements of the base . The two base states are and
1 1
with ( 0 1 ) and ( 0 1 ) . We
2 2
have = { , } .
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 9, SEPTEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 28
The information (bits), taken from a random number | a | | c | 1 ( | a | is the absolute square of the amplitude
2 2 2
TABLE 1
chooses the basis to measure a photon in state 1 , the
ASSOCIATION BETWEEN INFORMATION (BIT) AND THE BASIS IN traditional outcome will be either 0 or 1 with equal
THE BB84 PROTOCOL
1
probability because 1 ( ) ; if the basis was
2
Bit
chosen instead, the classical outcome would be exactly 1
0 0 a 00 a 10
because 1 1 1 0 0 .
1 1 a 01 a 11 In order to detect Eve, Alice and Bob test for
eavesdropping in step 2b). Wherever Alice and Bob’s bases
The BB84 protocol can be described as follows [19], [28- are identical (i.e. bi bi' ), the idea is that, the
30]:
corresponding bits should match (i.e. d i d i ). If not, an
'
1) Quantum Transmissions (First Phase)
a) Alice generates a random string of bits d {0,1} , and a
n
external disturbance is detected or there is noise in the
quantum channel. By need of security we consider all
random string of bases b {, } , with n N . N is
n
EAP-TLS Conversation
remaining in d once the bits disclosed in step 2b) are In QKD-EAP-TLS Protocol, we have added certain
removed. changes in the EAP-TLS conversation. Our main objective
To understand BB84 protocol it very important to is to generate security parameters by the mechanism of
introduce how we measure a qubit in the field of quantum Quantum Cryptography and to remove all structure
physics; if we have a qubit in the state qubit a b c d based on PKI (Public Key Infrastructure).
First, we suppose the peer and the EAP server share a
so the measure of this state in the basis { b , d } produces secret noted S . Second, we have replaced in EAP-TLS
2
the state b with the probability of | a | and the state of conversation the procedure of classical process of key
exchange (such RSA or DH) by the mechanism of
2
d with the probability of |c| and of course Quantum Cryptography using the BB84 protocol.
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 9, SEPTEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 29
We give the modified EAP-TLS conversation the new We note that the Fig. 3 is valid if the peer received
name of Quantum EAP-TLS conversation. Fig. 3 EAP-Request from the EAP server before the end of BB84
summarizes how different messages are exchanged protocol. If the public discussion during the BB84 makes
between the peer and the EAP server during the the peer to send an EAP-Request than the schema after
Quantum EAP-TLS conversation. BB84 is illustrated in Fig. 4.
Because BB84 is vulnerable to “man in the middle”
attack [28], we verify if an eavesdropper is detected once
the execution of BB84 protocol is finished, by calculating The BB84 protocol
the TLS finished in both sides of the peer and the EAP
server. This is achieved by using the shared secret S and EAP-Request/
the key K derived from the current execution of the EAP-Type=EAP-TLS
BB84 Protocol. (TLS change_cipher_spec,
During the Quantum EAP-TLS conversation and when TLS finished)
the peer receives the TLS server_hello, it sends to the EAP
EAP-Response/
server a series of polarized photons. The number of EAP-Type=EAP-TLS
polarized photons to be send depends on the length of the (TLS change_cipher_spec,
desired key. For each photon to be transmitted, the peer TLS finished)
randomly chooses a state aij . The remaining steps (the
EAP-Success
phase of public discussion) are exactly the same as it has
described in section 4.
Fig. 4. Message flow for the Quantum EAP-TLS conversation if the
peer sends a EAP-Request before the end of the BB84 protocol.
Key-Lenght
unconditional security because the length of the key in authentication between the peer and the EAP server.
this case must be equal to data which will be encrypted In the next connection between the peer and the EAP
[32]. server we change the secret shared S by K : S K and so
TTL field (2 octets minus one bit): this field provides an any key generated by the BB84 protocol will play the role of
amount of time (in seconds) or the number of messages S in the next connection. This improves the security by
when a key could be used in authentication process. If the modifying S at any connection because this makes the task
max of messages is reached or the time is expired, the
of discovering S by an eavesdropper very hard.
mechanism of QKD started to generate a new key.
T field (one bit): this field indicates if we use the amount of 5.5 Example of Implementation of the QKD-EAP-
time or the number of messages. When its value is “0”, TLS Authenticaton Protocol
the TTL filed corresponds to the number of messages and We present in this section an example of implementing
when its value is “1”, the TTL filed shows an amount of the QKD-EAP-TLS authentication protocol.
time. Some requirements must be satisfied to this
5.4 The QKD-EAP-TLS Authenticaton Protocol in implementation:
Operation Mode a) An optical channel: Quantum Cryptography uses
Our objective is to exploit the mechanism of QKD in photons to encode information to exploit the laws of
the process of authentication. We use the key quantum physics. Actually, there are two mediums to
generated by BB84 protocol with the secret S in the transport photons: the optical fiber or free space [33]. We
expression of pre_master_key presented in formula of choose the free space because we integrate QKD in
calculation of master_secret which used in calculation wireless environment.
of the TLS finished and so we check the mutual b) Optical modem: the modem can play the role of emitter
authentication of the peer and the EAP server. of photons and detector. The objective of the optical
In operating mode, the QKD-EAP-TLS modem is to detect and to send photons. The modem has
authentication protocol begins its execution as in Fig. 3 to include a photon emitter and a photon detector and
or Fig. 4. During the BB84 protocol, the peer sends to also polarizer to encode data using different values of
the EAP server the first packet fixing the fields of Key- polarization as quantum states. It is used to provide
Length, TTL, and T. Then both the peer and the EAP quantum key but also can be used to exchange data
server start the BB84 protocol to derive a key K which depending on the method of encoding information. The
its is guaranteed by the laws of quantum physics. modem is very important because it can include the both
As the BB84 protocol is vulnerable to “man in the roles of classical and quantum channel. There are many
middle” attack, so to check if the mutual techniques employed to elaborate such modem [34]-[35].
authentication is established correctly, the peer and the Let two LAN networks connected via two optical
EAP server must calculate the TLS finished message modems as illustrated in Fig. 6. We suppose that the two
using the shared secret S and the key generated by the points A (peer) and B (EAP server) have the possession of
processus of QKD, K {0.1} , We propose:
N the same secret S . To impove the security of QKD-EAP-
TLS connection between A and B using QKD, four phases
pre _ master _ sec ret K S must be done:
Phase 1: As in Fig. 3 or Fig. 4 the points A and B execute
The TLS finished is calculated as described in section 3 by
all steps before the begining of the BB84 protocol.
the expression:
Phase 2: during the BB84 protocol, the peer (A) sends the
PRF master _ secret , finished _ label , hash handshake _ messages first packet and by the way it fixes the value of the new
fields: Key-Length, TTL and T. we propose these choices:
We remark that the calculation of TLS finished uses the Key-Length= 40 bits, TTL= 400 messages and T=0. We
key generated by QKD because we have for our QKD- must choose TTL=1 if we plan to use One Time Pad to
EAP-TLS protocol: attain unconditional security. Once theBB84 is finished,
the key K generated is stored in flash memory in both
master _ sec ret PRF ( pre _ master _ sec ret , “master sec ret ”, sides of A and B.
ClientHello.random ServerHello .random ) Phase 3: Both A and B calculate TLS finished message to
check the authentication by using the key K and the
secret S as in paragraph 5.4).
It is very important to note that in the all public messages
Phase 4: Once the Quantum EAP-TLS conversation is
exchanging during the executions of BB84 protocol are
achieved, we change the the secret S by K ( S K ) and
part of the value of the handshake_messages
the new shared secret between the peer and the EAP
Once the EAP server receives the TLS finished message
server is K .
from the peer, it calculates its own TLS finished and
verifies whether it is the same as that of the peer or not; if
yes, then the peer is successfully authenticated. The same
operation is done by the peer when it receives the TLS
finished from the EAP server. We conclude that the
mechanism of QKD is exploited in checking the mutual
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 9, SEPTEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 31
2010 http://www.ubicc.org/files/pdf/Chapter_UBICC_490.pdf
[31] M. Elboukhari, M. Azizi, A. Azizi, “Implementation of secure key
distribution based on quantum cryptography”, in Proc. IEEE Int. Conf
Multimedia Computing and Systems (ICMCS’09), page 361 - 365, 2009.
[32] Shannon, C.E (1949). ”Communication theory of secrecy systems”. Bell
System Technical Journal 28-4. URL:
http://www.cs.ucla.edu/jkong/research/security/shannon.html
[33] Hughes,J.Nordholt,D.Derkacs,C.Peterson, (2002). ”Practical free-space
quantum key distribution over 10km in daylight and at night”. New
journal of physics 4 (2002)43.1-43.14.URL:
http://www.iop.org/EJ/abstract/1367-2630/4/1/343/
[34] Idquantique : www.idquantique.com
[35] magiQ www.magiqtech.com
Mohamed Elboukhari received the DESA (diploma of high study)
degree in numerical analysis, computer science and treatment of
signal in 2005 from the University of Science, Oujda, Morocco. He is
currently a PhD student in the University of Oujda in the field of
computer science. His research interests include cryptography,
quantum cryptography and wireless network security.